Welcome to my blog. Here, I will post items of interest to me most likely focusing on:

Security in Healthcare Information Technology

Electronic Voting Security

Computer and Network Security

Sailing

Poker

Sports: Soccer, tennis, golf, football, Michigan sports

Tuesday, September 12, 2006

My day at the polls - Maryland primary '06

I don't know where to start. This primary today is the third election that I have worked as an election judge. The last two elections were in 2004, and I was in a small precinct in Timonium, MD. This time, I was in my home precinct about 1/2 a mile from my house. We had 12 machines, over 1,000 voters and 16 judges. I woke up at 5:30 in the morning and was at the precinct before 6:00. It is now 10:18 pm, and I just got home a few minutes ago. As I have made it my custom, I sat down right away to write about my experience while everything was still fresh. In anticipation of this, I took some careful notes throughout the day.

The biggest change over the 2004 election was the introduction of electronic poll books that we used to check in voters. I was introduced to these in election judge training a few weeks ago. These are basically little touchscreen computers that are connected to an Ethernet hub. They each contain a full database of the registered voters in the county, and information about whether or not each voter has already voted, in addition to all of the voter registration information. The system is designed so that the machines constantly sync with each other so that if a voter signs in on one of them and then goes to another one, that voter will already be flagged as having voted. That was the theory anyway. These poll books turned out to be a disaster, but more on that later.

Around 7:15, when we had been open for business for 15 minutes already, a gentlemen shows up saying that he is a judge from another precinct nearby and that they did not receive any smartcards, so that they could not operate their election. We had 60 smartcards, and the chief judge suggested that we give them 20 so that they could at least get their election started. As she was handing them over, I suggested that we had to somehow verify his claim. After all, anyone could walk in off the street and claim this guy's story, and we would give them 20 access cards. The chief judge agreed with me. The guy pulled out his driver's license to prove who he was, but I told him that we were not doubting who he was, we just wanted to verify that we should give him the cards. He seemed to understand that. After calling the board of elections, we were told to give him the cards and we did. A little later, several voters who came in informed us that news reports were saying that in Montgomery county, there was a widespread problem of missing smatcards. I could only imagine what a nightmare that was for those poll workers because as it was, our precinct did not have this problem, and as you'll see, it was still tough going.

My precinct uses Diebold Accuvote TS, the same one that we analyzed in our study 3 years ago. The first problem we encountered was that two of the voting machine's security tag numbers did not match our records. After a call to the board of elections, we were told to set those aside and not use them. So, we were down to 10. We set up those machines in a daisy chain fashion, as described in the judge manual, and as we learned in our training. We plugged the first one into the wall and taped the wire to the floor with electric tape so nobody would trip over it. About two hours into the voting, I noticed that the little power readout on the machines was red, and I thought that this meant that the machines were on battery power. I pointed this out to one of the chief judges, but she said this was normal. An hour later, I checked again, and this time, the machines were on extremely low power. This time, I took the plug out to of the wall and tried another outlet nearby. The power icon turned green. I showed several of the judges, and we confirmed that the original outlet was indeed dead. Had I not checked this twice, those machines would have died in the middle of the election, most likely in the middle of people voting. I hate to think about how we would have handled that. A couple of hours later, the board of elections informed us that we should use the two voting machines with the mismatched tags, so we added them and used them the rest of the day (!).

When we were setting up the electronic poll books, I took over because I was more comfortable with the technology, and the others quickly deferred to me. So, a couple of hours into the election, when one of the poll books seemed to be out of sync with the others, the judges came and brought me to have a look. It appeared that this poll book was not getting synced with the others. I tested it by waiting for someone to sign in with a different poll book, and then a few minutes later trying to sign in that voter on the one in question. The voter was shown as having not voted yet. I repeated this test for about 20 minutes, but it never registered that voter as having voted, and the poll book was falling behind - about 30 by then - the other poll book machines. I suggested rebooting that machine, and we tried that, but it did not change anything. I pointed out to the chief judges who were huddled around me as I experimented, that as time went by, this poll book was going to fall further and further behind the others, and that if someone signed in on the others, they would be able sign in again on this one and vote again. After a call to the board of elections, we decided to take this one out of commission. This was very unfortunate, because our waiting lines were starting to get very long, and the check-in was the bottleneck. The last few hours of the day, we had a 45 minute to an hour wait, and we had enough machines in service to handle the load, but it was taking people too long to sign in.

The electronic poll books presented an even bigger problem, however. Every so often, about once every 15-25 minutes, after a voter signed in, and while that voter's smartcard was being programmed with the ballot, the poll book would suddenly crash and reboot. Unfortunately, the smartcard would not be programmed at the end of this, so the poll worker would have to try again. However, the second time, the machine said that the voter had already voted. The first few times this happened, we had some very irate voters, and we had to call over the chief judge. Soon, however, we realized what was happening, and as soon as the poll book crashed, we warned the voter that it would come up saying that they had already voted, but that we knew they hadn't. Then, the chief judge would have to come over, enter a password, and authorize that person to vote anyway. Then we had to make a log entry of the event and quarantine the offending smartcard. Unfortunately, the poll books take about 3 minutes to reboot, and the chief judges are very scarce resources, so this caused further delays and caused the long line we had for most of the afternoon and evening while many of the machines were idle. Another problem was that the poll book would not subtract a voter from its total count when this happened, so every time we had an incident, the poll book voter count was further off the mark. We had to keep track of this by hand, so we could reconcile it at the end of the day.

At times, the remaining two poll books were way out of synch, but after a while, they caught up with each other. When the lines got really long, we considered the idea of trying to use the third one that had caused problems, but we all agreed that we would feel very stupid if all of them started crashing more. I was worried that synching three of these on an Ethernet hub was more complex than 2, and in fact, they were crashing a bit less often when we had only 2. The whole time I was worried about what we would do if these thing really died or crashed so badly and so often that we couldn't really use them. We had no backup voter cards, so the best we could have done would have been to start letting everybody vote by provisional ballots. However, we had two small pads of those ballots, and we would have run out quickly. I can't imagine basing the success of an election on something so fragile as these terrible, buggy machines.

Throughout the early part of the day, there was a Diebold representative at our precinct. When I was setting up the poll books, he came over to "help", and I ended up explaining to him why I had to hook the ethernet cables into a hub instead of directly into all the machines (not to mention the fact that there were not enough ports on the machines to do it that way). The next few times we had problems, the judges would call him over, and then he called me over to help. After a while, I asked him how long he had been working for Diebold because he didn't seem to know anything about the equipment, and he said, "one day." I said, "You mean they hired you yesterday?" And he replied, "yes, I had 6 hours of training yesterday. It was 80 people and 2 instructors, and none of us really knew what was going on." I asked him how this was possible, and he replied, "I shouldn't be telling you this, but it's all money. They are too cheap to do this right. They should have a real tech person in each precinct, but that costs too much, so they go out and hire a bunch of contractors the day before the election, and they think that they can train us, but it's too compressed." Around 4 pm, he came and told me that he wasn't doing any good there, and that he was too frustrated, and that he was going home. We didn't see him again.

I haven't written at all about the Accuvote machines. I guess I've made my opinions about that known in the past, and my new book deals primarily with them. Nothing happened today to change my opinion about the security of these systems, but I did have some eye opening experiences about the weaknesses of some of the physical security measures that are touted as providing the missing security. For example, I carefully studied the tamper tape that is used to guard the memory cards. In light of Hursti's report, the security of the memory cards is critical. Well, I am 100% convinced that if the tamper tape had been peeled off and put back on, nobody except a very well trained professional would notice it. The tamper tape has a tiny version of the word "void" appear inside it after it has been removed and replaced, but it is very subtle. In fact, a couple of times, due to issues we had with the machines, the chief judge removed the tamper tape and then put it back. One time, it was to reboot a machine that was hanging when a voter was trying to vote. I looked at the tamper tape that was replaced and couldn't tell the difference, and then it occurred to me that instead of rebooting, someone could mess with the memory card and replace the tape, and we wouldn't have noticed. I asked if I could play with the tamper tape a bit, and they let me handle it. I believe I can now, with great effort and concentration, tell the difference between one that has been peeled off and one that has not. But, I did not see the judges using that kind of care every time they opened and closed them. As far as I'm concerned, the tamper tape does very little in the way of actual security, and that will be the case as long as it is used by lay poll workers, as opposed to CIA agents.

As we were computing the final tallies towards the end of the evening, one of the Diebold machines froze. We had not yet printed the report that is used to post the results. One of the judges went to call the board of elections. She said she was transfered and then disconnected. We decided to do a hard reboot of it after we closed down the other machines. When we finished the other machines, we noticed that the problem one had somehow recovered, and we were able to finish. Strange because it was frozen for about 10 minutes.

So, this day at the polls was different from my two experiences in 2004. I felt more like an experienced veteran than a wide eyed newbie. The novelty that I felt in 2002 was gone, and I felt seasoned. Even the chief judges often came to me asking advice on how to handle various crises that arose. Several other suggested that I should apply to be a chief judge in the next election cycle, and I will probably do that. The least pleasant part of the day was a nagging concern that something would go terribly wrong, and that we would have no way to recover. I believe that fully electronic systems, such as the precinct we had today, are too fragile. The smallest thing can lead to a disaster. We had a long line of "customers" who were mostly patient, but somewhat irritated, and I felt like we were not always in a position to offer them decent customer service. When our poll books crashed, and the lines grew, I had a sense of dread that we might end up finishing the day without a completed election. As an election judge I put aside my personal beliefs that these machines are easy to rig in an undetectable way, and become more worried that the election process would completely fail. I don't think it would have taken much for that to have happened.

One other thing struck me. In 2004, most voters seemed happy with the machines. This time around, many of them complained about a lack of a paper trail. Some of them clearly knew who I was and my position on this, but others clearly did not. I did not hear one voter say they were happy with the machines, and a dozen or so expressed strong feelings against them.

I am way too tired now (it's past 11 pm) to write any kind of philosophical ending to this already too long blog entry. I hope that we got it right in my precinct, but I know that there is no way to know for sure. We cannot do recounts. Finally, I have to say a few words about my fellow poll workers. We all worked from 6 a.m. to past 10 p.m. These volunteers were cheerful, pleasant, and diligent. They were there to serve the public, and they acted like it. I greatly admire them, and while the election technology selection and testing processes in this country make me sick, I take great hope and inspiration from a day in the trenches with these people.